Add EDR agent ID discovery rule

SEKOIA-IO · Sep 20, 2024 · 9b06104 · 9b06104
1 parent 686a1bc
commit 9b06104
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/docs/xdr/features/collect/assets.md b/docs/xdr/features/collect/assets.md
@@ -148,6 +148,13 @@ The following table lists the atom types and their related event fields that are
 
 This rule enriches an existing asset with an `os` contextual property. This property is extracted from the value of all the `os` related fields of an event where its `host.name` field matches the `hostname` detection property of the asset. In addition, this rule categorizes the asset as a Server if the `host.type` contains `server`.
 
+### Attach EDR agent IDs to Host
+
+**Set the Contextual Property `edr_agent_id` to Host**
+
+This rule enriches an existing asset with the `edr_agent_id` contextual property (for example `sentinelone_agent_id`). This property is extracted from the values of `agent.id` and `agent.type`. This rule only applies to assets of `Host` category. 
+
+Note that a single host can have multiple EDR agent IDs.
 
 ### Discover unique Hosts